Article contributed by our Trusted Partner PGI
Have your friends and colleagues had their COVID-19 vaccine jab yet? Well, don’t worry about waiting for them to tell you because you can find out from the NHS Digital booking website directly…sort of.
The Guardian reported in early May that NHS Digital had to revise its process for booking COVID-19 vaccinations in England after it was discovered that anyone who had basic identity information about another person could actually see their—usually confidential—vaccination status.
How could no one have picked up this vulnerability before the website went live? Well, it’s not as simple as popping in some details and seeing a status; it’s more about how the system responds to user actions. In this case:
And this is all without logging in or providing further verification about who you are. This is one form of ‘data leakage’ and it’s not the only example of it.
Imagine you’ve forgotten your password. You’ve tried a couple of different variations of passwords you often use (we’ll talk about your password hygiene later) and neither of them works—the system or website you’re using comes back with ‘Password incorrect for this account’ each time. That’s good to know, right?
So, you click the trusty ‘Forgot my password’ link and it takes you to a new page to enter your email address. On entering, the status comes back as ‘A password reset email is on its way’. Brilliant, you can now change the password and Bob’s your uncle.
But wait, in the battle of ‘user experience’ versus ‘security’, this system or website has now told anyone who put your email address in that you have an account. At that point, they could try to brute force the password or perhaps they already found your login details from another website on the dark web and they will just try that combination.
Of course, this is often fairly harmless (especially if you have good password hygiene), but what if an association with that website or platform wasn’t so harmless? Take the Ashley Madison example from a few years ago: whether it’s a malicious actor or not, just knowing that an account exists is more information than they should have, because the context is just as much of a problem as the actual leaking of information.
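The two leaks described above (the vaccination status that can be inferred from how the booking site responds, and the password reset page that confirms an account exists) share one root cause: the response differs depending on whether a record exists. The following Python is an added example, not code from PGI or from any of the sites mentioned; the user store, password hashing scheme and outbox are constructed for illustration. It shows the leaky login and reset handlers side by side with versions that return the same message, and do the same amount of work, whether or not the account exists, plus the check a tester would run to tell the two apart.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store (hypothetical accounts, not real data).
# PBKDF2 is used here only so the example runs with the standard library;
# a production system would use a slow, memory-hard hash such as Argon2.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice@example.com": {"pw_hash": _hash("correct horse battery")}}

# Outbox standing in for an email sender so the example runs offline.
OUTBOX: list[tuple[str, str]] = []


# ---- Leaky handlers: the wording of the reply tells the caller whether the
# ---- address has an account, which is exactly the problem described above.
def login_leaky(email: str, password: str) -> str:
    user = USERS.get(email)
    if user is None:
        return "No account exists for this email"
    if hmac.compare_digest(user["pw_hash"], _hash(password)):
        return "Welcome"
    return "Password incorrect for this account"


def reset_leaky(email: str) -> str:
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
        return "A password reset email is on its way"
    return "No account found for this email address"


# ---- Uniform handlers: same message and same work in both branches, so
# ---- neither the wording nor the response time reveals whether the
# ---- account exists. Only a real account actually receives an email.
_DUMMY_HASH = _hash("dummy")  # compared against when the user is unknown


def login_uniform(email: str, password: str) -> str:
    user = USERS.get(email)
    stored = user["pw_hash"] if user else _DUMMY_HASH
    # The hash is always computed and always compared, even for unknown
    # users, so the unknown-user path is not measurably faster.
    matched = hmac.compare_digest(stored, _hash(password))
    if matched and user is not None:
        return "Welcome"
    return "Invalid email or password"


def reset_uniform(email: str) -> str:
    token = secrets.token_urlsafe(32)  # generated either way
    if email in USERS:
        OUTBOX.append((email, token))
    # Unknown addresses silently get no email; the caller cannot tell.
    return "If an account exists for this address, a password reset email is on its way"


def responses_differ(handler, known_email: str, unknown_email: str, *args) -> bool:
    """The check a tester runs on their own site: does a known address get a
    different reply from an unknown one? True means the handler leaks."""
    return handler(known_email, *args) != handler(unknown_email, *args)


if __name__ == "__main__":
    for name, handler, extra in [
        ("login_leaky", login_leaky, ("wrong-password",)),
        ("login_uniform", login_uniform, ("wrong-password",)),
        ("reset_leaky", reset_leaky, ()),
        ("reset_uniform", reset_uniform, ()),
    ]:
        leaks = responses_differ(handler, "alice@example.com", "bob@example.com", *extra)
        print(f"{name:14s} leaks account existence: {leaks}")
```

Running the script prints `True` for the two leaky handlers and `False` for the uniform ones. The same comparison (known versus unknown input, looking at message text, status code and response time) is what a penetration tester does by hand on a login, registration, password reset or, as in the NHS case, a booking form.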
The first step in fixing this type of accidental, technical data leakage to protect your customers (and by extension your own operations, reputation and bottom line) is identifying the holes.
Security testing will help you achieve this, specifically penetration testing. While a vulnerability assessment may identify a problem, what an automated scan cannot do is provide context. A human can identify a security failing and apply context to judge whether it actually constitutes a problem. This is the sort of awareness that a computer is unable to provide, and why humans are part of an effective penetration test.
An example of this is a Penetration Tester testing for business logic flaws as part of a web application test. Business logic requires both an understanding of the technology and of its wider context; i.e. someone knowing that you have an account with Sainsbury’s is fairly low risk, whereas someone knowing you have an account with a more ‘discreet’ website may be problematic. It’s a bit like knowing that technically a tomato is a fruit, but it doesn’t really work in a fruit salad.
In combination with testing for business logic flaws, Security Consultants will likely follow the OWASP (Open Web Application Security Project) Top 10 – an industry standard checklist that represents what are broadly considered to be the most critical security risks to web applications.